Canonical Unveils ‘Everything LTS’: 12-Year Security for Custom Docker Images
Canonical, the company behind Ubuntu, today announced a significant expansion of its Long Term Support (LTS) offering, extending beyond traditional ‘deb’ packages to include a new distroless Docker image design-and-build service. This service provides 12 years of security maintenance for any open-source application or dependency, regardless of whether the software is already packaged in Ubuntu.
“Everything LTS means CVE maintenance for your entire open source dependency tree, including open source that is not already packaged as a deb in Ubuntu,” said Mark Shuttleworth, CEO of Canonical. “We deliver distroless or Ubuntu-based Docker images to your specification, which we will support on RHEL, VMware, Ubuntu, or major public cloud Kubernetes. Our enterprise and ISV customers can now count on Canonical to meet regulatory maintenance requirements with any open source stack, no matter how large or complex, wherever they want to deploy it.”
Canonical’s new ‘Everything LTS’ initiative expands Ubuntu Pro by integrating thousands of new open source components, including the latest AI/ML dependencies and tools for machine learning, training, and inference. These components are maintained as source alongside Ubuntu rather than as traditional ‘deb’ packages. This commitment to CVE security maintenance helps customers meet the maintenance requirements of regulatory standards such as FIPS, FedRAMP, the EU Cyber Resilience Act (CRA), the FCC U.S. Cyber Trust Mark, and DISA-STIG.
Customers can now engage Canonical to design a Docker image of an open-source application or a base image that includes all necessary dependencies to host their proprietary apps. They receive hardened distroless container images with a minimal attack surface and long-term CVE maintenance. These images, adhering to the Open Container Initiative (OCI) standard, run natively on Ubuntu, Red Hat Enterprise Linux (RHEL), VMware Kubernetes, or public cloud Kubernetes platforms. Canonical supports these custom-built images across all these environments.
Industry research indicates that 84% of codebases have at least one open-source vulnerability, with 48% of those vulnerabilities being high risk. Distroless containers, which include only the files necessary to run a single application, present a smaller attack surface and are thus harder to exploit.
Chiselled Ubuntu containers, built with Chisel, include only the files strictly required for the application, excluding surplus metadata and tools. The result is an ultra-small, efficient container that significantly reduces the attack surface while still building on the familiar Ubuntu toolchain. Developers can build and debug in a full Ubuntu environment and then use Chisel to produce a distroless production artifact, which keeps debugging and analysis straightforward.
Canonical’s container design and build service includes analyzing the app dependency tree, identifying unlisted open-source components, bringing them under CVE maintenance, and creating a chiselled distroless container image. Automated pipeline updates ensure that critical patches are promptly applied, minimizing vulnerabilities.
Canonical has also partnered with Microsoft to create chiselled containers for the .NET community, reducing the official .NET container size by 100 MB. For self-contained .NET applications, the chiselled runtime base image is only 6 MB compressed, enhancing performance and reducing memory overhead. This partnership ensures a trusted supply chain and seamless integration.